4768(S, F): A Kerberos authentication ticket (TGT) was requested.
Subcategory: Audit Kerberos Authentication Service
Event Description:
This event generates every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
This event generates only on domain controllers.
If the TGT issue fails, you will see a Failure event with a Result Code field not equal to "0x0".
This event doesn't generate for Result Codes 0x10 and 0x18. Event "4771: Kerberos pre-authentication failed." generates instead.
Note
For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4768</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-07T18:13:46.074535600Z" />
    <EventRecordID>166747</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1496" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="PreAuthType">15</Data>
    <Data Name="IpAddress">::ffff:10.0.0.12</Data>
    <Data Name="IpPort">49273</Data>
    <Data Name="CertIssuerName">contoso-DC01-CA-1</Data>
    <Data Name="CertSerialNumber">1D0000000D292FBE3C6CDDAFA200020000000D</Data>
    <Data Name="CertThumbprint">564DFAEE99C71D62ABC553E695BD8DBC46669413</Data>
  </EventData>
</Event>
```
Required Server Roles: Active Directory domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Account Information:
- Account Name [Type = UnicodeString]: the name of the account for which the (TGT) ticket was requested. Computer account names end with the $ character.
  - User account example: dadmin
  - Computer account example: WIN81$
- Supplied Realm Name [Type = UnicodeString]: the name of the Kerberos Realm that Account Name belongs to. This can appear in a variety of formats, including the following:
  - Domain NETBIOS name example: CONTOSO
  - Lowercase full domain name: contoso.local
  - Uppercase full domain name: CONTOSO.LOCAL
Note
A Kerberos Realm is a set of managed nodes that share the same Kerberos database. The Kerberos database resides on the Kerberos master computer system, which should be kept in a physically secure room. An Active Directory domain is the example of a Kerberos Realm in the Microsoft Windows Active Directory world.
- User ID [Type = SID]: SID of the account for which the (TGT) ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
  For example: CONTOSO\dadmin or CONTOSO\WIN81$.
  - NULL SID – this value shows in 4768 Failure events.
Note
A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Service Information:
- Service Name [Type = UnicodeString]: the name of the service in the Kerberos Realm to which the TGT request was sent. Typically has the value "krbtgt" for TGT requests, which means the Ticket Granting Ticket issuing service.
  - For Failure events Service Name typically has the following format: krbtgt/REALM_NAME. For example: krbtgt/CONTOSO.
- Service ID [Type = SID]: SID of the service account in the Kerberos Realm to which the TGT request was sent. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
  Domain controllers have a specific service account (krbtgt) that is used by the Key Distribution Center (KDC) service to issue Kerberos tickets. It has a built-in, pre-defined SID: S-1-5-21-DOMAIN_IDENTIFIER-502.
  - NULL SID – this value shows in 4768 Failure events.
Network Information:
- Client Address [Type = UnicodeString]: IP address of the computer from which the TGT request was received. Formats vary, and include the following:
  - IPv6 or IPv4 address.
  - ::ffff:IPv4_address.
  - ::1 - localhost.
- Client Port [Type = UnicodeString]: source port number of the client network connection (TGT request connection).
  - 0 for local (localhost) requests.
Additional information:
- Ticket Options [Type = HexInt32]: this is a set of different ticket flags in hexadecimal format.
  Example:
  - Ticket Options: 0x40810010
  - Binary view: 01000000100000010000000000010000
  - Using MSB 0 bit numbering we have bits 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
Note
In the table below "MSB 0" bit numbering is used, because RFC documents use this style. In "MSB 0" style bit numbering begins from the left.
The most common values:
- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
- 0x40810000 - Forwardable, Renewable, Canonicalize
- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
| Bit | Flag Name | Description |
|---|---|---|
| 0 | Reserved | - |
| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. |
| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. |
| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. |
| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension). |
| 6 | Postdated | Postdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension). |
| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. |
| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
| 14 | Request-anonymous | KILE does not use this flag. |
| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
| 16-25 | Unused | - |
| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor the DISABLE-TRANSITED-CHECK option. Should not be in use, because the Transited-policy-checked flag is not supported by KILE. |
| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. |
| 28 | Enc-tkt-in-skey | No information. |
| 29 | Unused | - |
| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. |
| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. |
Table 2. Kerberos ticket flags
Note
KILE (Microsoft Kerberos Protocol Extension) – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization data including group memberships, interactive logon information, and integrity levels.
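Decoding the Ticket Options field by hand, as the example above does, is error-prone because MSB-0 numbering runs from the left. The following Python is an added example (not code from the original article) that maps a Ticket Options value to the flag names of Table 2 and reports any Reserved or Unused bit that is set, which a normal client never produces.

```python
# Added example (not from the original article): decode the 4768 "Ticket Options"
# field using the MSB-0 bit numbering of Table 2 (bit 0 is the leftmost of 32 bits).
TICKET_FLAGS = {
    1: "Forwardable", 2: "Forwarded", 3: "Proxiable", 4: "Proxy",
    5: "Allow-postdate", 6: "Postdated", 7: "Invalid", 8: "Renewable",
    9: "Initial", 10: "Pre-authent", 11: "Opt-hardware-auth",
    12: "Transited-policy-checked", 13: "Ok-as-delegate",
    14: "Request-anonymous", 15: "Name-canonicalize",
    26: "Disable-transited-check", 27: "Renewable-ok",
    28: "Enc-tkt-in-skey", 30: "Renew", 31: "Validate",
}


def parse_hex(field):
    """Accept the event's textual form ('0x40810010') or an int."""
    return int(field, 16) if isinstance(field, str) else int(field)


def binary_view(options):
    """32-character string, as shown in the article's 'Binary view' line."""
    return format(parse_hex(options), "032b")


def set_bits_msb0(options):
    """MSB-0 positions that are set: position i is the i-th character of binary_view()."""
    return [i for i, ch in enumerate(binary_view(options)) if ch == "1"]


def decode_ticket_options(options):
    """Return (flag names from Table 2, positions of Reserved/Unused bits that are set)."""
    names, unexpected = [], []
    for bit in set_bits_msb0(options):
        if bit in TICKET_FLAGS:
            names.append(TICKET_FLAGS[bit])
        else:
            unexpected.append(bit)  # bit 0, 16-25 or 29: not set by a well-behaved client
    return names, unexpected


if __name__ == "__main__":
    for value in ("0x40810010", "0x40810000", "0x60810010"):
        flags, odd = decode_ticket_options(value)
        print(value, binary_view(value), ", ".join(flags), odd or "")
```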
- Result Code [Type = HexInt32]: hexadecimal result code of the TGT issue operation. The "Table 3. TGT/TGS issue error codes" table contains the list of the most common error codes for this event.
| Code | Code Name | Description | Possible causes |
|---|---|---|---|
| 0x0 | KDC_ERR_NONE | No error | No errors were found. |
| 0x1 | KDC_ERR_NAME_EXP | Client's entry in KDC database has expired | No information. |
| 0x2 | KDC_ERR_SERVICE_EXP | Server's entry in KDC database has expired | No information. |
| 0x3 | KDC_ERR_BAD_PVNO | Requested Kerberos version number not supported | No information. |
| 0x4 | KDC_ERR_C_OLD_MAST_KVNO | Client's key encrypted in old master key | No information. |
| 0x5 | KDC_ERR_S_OLD_MAST_KVNO | Server's key encrypted in old master key | No information. |
| 0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database | The username doesn't exist. |
| 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the server's name in Active Directory. This error is similar to KDC_ERR_C_PRINCIPAL_UNKNOWN except that it occurs when the server name cannot be found. |
| 0x8 | KDC_ERR_PRINCIPAL_NOT_UNIQUE | Multiple principal entries in KDC database | This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one. |
| 0x9 | KDC_ERR_NULL_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that the administrator should reset the password on the account. |
| 0xA | KDC_ERR_CANNOT_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket's start time be set into the future. It also can occur if there is a time difference between the client and the KDC. |
| 0xB | KDC_ERR_NEVER_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client. |
| 0xC | KDC_ERR_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user's account. For example workstation restriction, smart card authentication requirement or logon time restriction. |
| 0xD | KDC_ERR_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT. The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list |
| 0xE | KDC_ERR_ETYPE_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. |
| 0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. |
| 0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the incorrect certification authority (CA) is being queried or the proper CA cannot be contacted. It can also happen when a domain controller doesn't have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). This error code cannot occur in event "4768. A Kerberos authentication ticket (TGT) was requested". It occurs in "4771. Kerberos pre-authentication failed" event. |
| 0x11 | KDC_ERR_TRTYPE_NO_SUPP | KDC has no support for transited type | No information. |
| 0x12 | KDC_ERR_CLIENT_REVOKED | Client's credentials have been revoked | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out. |
| 0x13 | KDC_ERR_SERVICE_REVOKED | Credentials for server have been revoked | No information. |
| 0x14 | KDC_ERR_TGT_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC_ERR_TGT_REVOKED. See RFC1510 for more details. |
| 0x15 | KDC_ERR_CLIENT_NOTYET | Client not yet valid—try again later | No information. |
| 0x16 | KDC_ERR_SERVICE_NOTYET | Server not yet valid—try again later | No information. |
| 0x17 | KDC_ERR_KEY_EXPIRED | Password has expired—change password to reset | The user's password has expired. This error code cannot occur in event "4768. A Kerberos authentication ticket (TGT) was requested". It occurs in "4771. Kerberos pre-authentication failed" event. |
| 0x18 | KDC_ERR_PREAUTH_FAILED | Pre-authentication information was invalid | The wrong password was provided. This error code cannot occur in event "4768. A Kerberos authentication ticket (TGT) was requested". It occurs in "4771. Kerberos pre-authentication failed" event. |
| 0x19 | KDC_ERR_PREAUTH_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB_AS_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. |
| 0x1A | KDC_ERR_SERVER_NOMATCH | KDC does not know about the requested server | No information. |
| 0x1D | KDC_ERR_SVC_UNAVAILABLE | KDC is unavailable | No information. |
| 0x1F | KRB_AP_ERR_BAD_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. |
| 0x20 | KRB_AP_ERR_TKT_EXPIRED | The ticket has expired | The smaller the value for the "Maximum lifetime for user ticket" Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. |
| 0x21 | KRB_AP_ERR_TKT_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized. If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
| 0x22 | KRB_AP_ERR_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received. |
| 0x23 | KRB_AP_ERR_NOT_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. |
| 0x24 | KRB_AP_ERR_BADMATCH | The ticket and authenticator do not match | The KRB_TGS_REQ is being sent to the wrong KDC. There is an account mismatch during protocol transition. |
| 0x25 | KRB_AP_ERR_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the server's timestamp by more than the number of minutes found in the "Maximum tolerance for computer clock synchronization" setting in Kerberos policy. |
| 0x26 | KRB_AP_ERR_BADADDR | Network address in network layer header doesn't match address inside ticket | Session tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid. |
| 0x27 | KRB_AP_ERR_BADVERSION | Protocol version numbers don't match (PVNO) | When an application receives a KRB_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application. The message is first checked by verifying that the protocol version and type fields match the current version and KRB_SAFE, respectively. A mismatch generates a KRB_AP_ERR_BADVERSION. See RFC4120 for more details. |
| 0x28 | KRB_AP_ERR_MSG_TYPE | Message type is unsupported | This message is generated when the target server finds that the message format is wrong. This applies to KRB_AP_REQ, KRB_SAFE, KRB_PRIV and KRB_CRED messages. This error is also generated if use of the UDP protocol is being attempted with User-to-User authentication. |
| 0x29 | KRB_AP_ERR_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the incorrect key for the intended server. The authentication data was modified in transit by a hardware or software error, or by an attacker. The client sent the authentication data to the incorrect server because incorrect DNS information caused the client to send the request to the wrong server. The client sent the authentication data to the wrong server because DNS information was out-of-date on the client. |
| 0x2A | KRB_AP_ERR_BADORDER | Message out of order (possible tampering) | This event generates for KRB_SAFE and KRB_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See RFC4120 for more details. |
| 0x2C | KRB_AP_ERR_BADKEYVER | Specified version of key is not available | This error might be generated on the server side during receipt of an invalid KRB_AP_REQ message. If the key version indicated by the Ticket in the KRB_AP_REQ is not one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB_AP_ERR_BADKEYVER error is returned. |
| 0x2D | KRB_AP_ERR_NOKEY | Service key not available | This error might be generated on the server side during receipt of an invalid KRB_AP_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB_AP_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB_AP_ERR_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket. |
| 0x2E | KRB_AP_ERR_MUT_FAIL | Mutual authentication failed | No information. |
| 0x2F | KRB_AP_ERR_BADDIRECTION | Incorrect message direction | No information. |
| 0x30 | KRB_AP_ERR_METHOD | Alternative authentication method required | According to RFC4120 this error message is obsolete. |
| 0x31 | KRB_AP_ERR_BADSEQ | Incorrect sequence number in message | No information. |
| 0x32 | KRB_AP_ERR_INAPP_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When the KDC receives a KRB_TGS_REQ message it decrypts it, and after that, the user-supplied checksum in the Authenticator MUST be verified against the contents of the request. The message MUST be rejected either if the checksums do not match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum is not collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM). |
| 0x33 | KRB_AP_PATH_NOT_ACCEPTED | Desired path is unreachable | No information. |
| 0x34 | KRB_ERR_RESPONSE_TOO_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. |
| 0x3C | KRB_ERR_GENERIC | Generic error | Group membership has overloaded the PAC. Multiple recent password changes have not propagated. Crypto subsystem error caused by running out of memory. SPN too long. SPN has too many parts. |
| 0x3D | KRB_ERR_FIELD_TOOLONG | Field is too long for this implementation | Each request (KRB_KDC_REQ) and response (KRB_KDC_REP or KRB_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB_ERR_FIELD_TOOLONG and MUST close the TCP stream. |
| 0x3E | KDC_ERR_CLIENT_NOT_TRUSTED | The client trust failed or is not implemented | This typically happens when the user's smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller. |
| 0x3F | KDC_ERR_KDC_NOT_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC_ERR_KDC_NOT_TRUSTED. See RFC1510 for more details. |
| 0x40 | KDC_ERR_INVALID_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC_ERR_INVALID_SIG. |
| 0x41 | KDC_ERR_KEY_TOO_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC_ERR_KEY_TOO_WEAK. |
| 0x42 | KRB_AP_ERR_USER_TO_USER_REQUIRED | User-to-user authorization is required | In the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB_AP_REP, the client will send the KRB_AP_REP request, and the server will respond with a KRB_ERROR token as described in RFC1964, with a msg-type of KRB_AP_ERR_USER_TO_USER_REQUIRED. |
| 0x43 | KRB_AP_ERR_NO_TGT | No TGT was presented or available | In user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB_AP_ERR_NO_TGT. |
| 0x44 | KDC_ERR_WRONG_REALM | Incorrect domain or principal | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS. |
Table 3. TGT/TGS issue error codes
- Ticket Encryption Type [Type = HexInt32]: the cryptographic suite that was used for the issued TGT.
Table 4. Kerberos encryption types
| Type | Type Name | Description |
|---|---|---|
| 0x1 | DES-CBC-CRC | Disabled by default starting from Windows 7 and Windows Server 2008 R2. |
| 0x3 | DES-CBC-MD5 | Disabled by default starting from Windows 7 and Windows Server 2008 R2. |
| 0x11 | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. |
| 0x12 | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. |
| 0x17 | RC4-HMAC | Default suite for operating systems before Windows Server 2008 and Windows Vista. |
| 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. |
| 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. |
- Pre-Authentication Type [Type = UnicodeString]: the code number of the pre-Authentication type which was used in the TGT request.
Table 5. Kerberos Pre-Authentication types
| Type | Type Name | Description |
|---|---|---|
| 0 | - | Logon without Pre-Authentication. |
| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. |
| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value. Never saw this Pre-Authentication Type in a Microsoft Active Directory environment. |
| 15 | PA-PK-AS-REP_OLD | Used for Smart Card logon authentication. |
| 16 | PA-PK-AS-REQ | Request sent to KDC in Smart Card authentication scenarios. |
| 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen. |
| 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value. Never saw this Pre-Authentication Type in a Microsoft Active Directory environment. |
| 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets. |
| 138 | PA-ENCRYPTED-CHALLENGE | Logon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients. |
| - | - | This type shows in Audit Failure events. |
Document Data:
-
Certificate Issuer Proper noun [Type = UnicodeString]: the name of the Certification Authority that issued the smart card certificate. Populated in Issued past field in certificate.
-
Document Serial Number [Type = UnicodeString]: smart carte certificate's serial number. Can be found in Serial number field in the certificate.
-
Certificate Thumbprint [Blazon = UnicodeString]: smart card document's thumbprint. Can be found in Thumbprint field in the certificate.
Security Monitoring Recommendations
For 4768(Due south, F): A Kerberos authentication ticket (TGT) was requested.
| Type of monitoring required | Recommendation |
|---|---|
| High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the "User ID" that corresponds to the high-value account or accounts. |
| Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the "User ID" (with other information) to monitor how or when a particular account is being used. |
| Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the "User ID" that corresponds to the accounts that should never be used. |
| Account allowlist: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an "allowlist-only" action, review the "User ID" for accounts that are outside the allowlist. |
| External accounts: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the "Supplied Realm Name" corresponding to another domain or "external" location. |
| Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor "User ID" for names that don't comply with naming conventions. |
- You can track all 4768 events where the Client Address is not from your internal IP address range or not from private IP address ranges.
- If you know that an Account Name should be used only from a known list of IP addresses, track all Client Address values for this Account Name in 4768 events. If the Client Address is not from the allowlist, generate an alert.
- A Client Address of ::1 means local authentication (the request came from the domain controller itself). If you know the list of accounts that should log on to the domain controllers, then monitor for all possible violations where Client Address = ::1 and the Account Name is not allowed to log on to any domain controller.
- All 4768 events with a Client Port field value > 0 and < 1024 should be examined, because a well-known port was used for the outbound connection; normal clients use ephemeral (high) source ports.
-
Also consider monitoring the fields shown in the following table, to discover the issues listed:
| Field | Issue to observe |
|---|---|
| Certificate Issuer Name | Certification authority name is not from your PKI. |
| Certificate Issuer Name | Certification authority name is not authorized to issue smart card authentication certificates. |
| Pre-Authentication Type | Value is 0, which means that pre-authentication was not used. All accounts should use pre-authentication, except accounts configured with "Do not require Kerberos preauthentication," which is a security risk (the TGT reply for such accounts can be requested by anyone and cracked offline). For more information, see Table 5. Kerberos Pre-Authentication types. |
| Pre-Authentication Type | Value is not 15 when the account must use a smart card for authentication. For more information, see Table 5. Kerberos Pre-Authentication types. |
| Pre-Authentication Type | Value is not 2 when only standard password authentication is in use in the organization. For more information, see Table 5. Kerberos Pre-Authentication types. |
| Pre-Authentication Type | Value is not 138 when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see Table 5. Kerberos Pre-Authentication types. |
| Ticket Encryption Type | Value is 0x1 or 0x3, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2. For more information, see Table 4. Kerberos encryption types. |
| Ticket Encryption Type | Starting with Windows Vista and Windows Server 2008, monitor for values other than 0x11 and 0x12. These are the expected values, starting with these operating systems, and represent AES-family algorithms. For more information, see Table 4. Kerberos encryption types. |
| Result Code | 0x6 (The username doesn't exist), if you see, for example, N events in the last N minutes. This can be an indicator of an account enumeration attack, especially for highly critical accounts. |
| Result Code | 0x7 (Server not found in Kerberos database). This error can occur if the domain controller cannot find the server's name in Active Directory. |
| Result Code | 0x8 (Multiple principal entries in KDC database). This will help you to detect duplicate SPNs faster. |
| Result Code | 0x9 (The client or server has a null key (master key)). This error can help you to identify problems with Kerberos authentication faster. |
| Result Code | 0xA (Ticket (TGT) not eligible for postdating). Microsoft systems should not request postdated tickets. These events could help identify anomalous activity. |
| Result Code | 0xC (Requested start time is later than end time), if you see, for example, N events in the last N minutes. This can be an indicator of an account compromise attempt, especially for highly critical accounts. |
| Result Code | 0xE (KDC has no support for encryption type). In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. Monitor for these events because this should not happen in a standard Active Directory environment. |
| Result Code | 0xF (KDC has no support for checksum type). Monitor for these events because this should not happen in a standard Active Directory environment. |
| Result Code | 0x12 (Client's credentials have been revoked), if you see, for example, N events in the last N minutes. This can be an indicator of anomalous activity or a brute-force attack, especially for highly critical accounts. |
| Result Code | 0x1F (Integrity check on decrypted field failed). The authenticator was encrypted with something other than the session key. The result is that the KDC cannot decrypt the TGT. The modification of the message could be the result of an attack or it could be because of network noise. |
| Result Code | 0x22 (The request is a replay). This error indicates that a specific authenticator showed up twice: the KDC has detected that this session ticket duplicates one that it has already received. It could be a sign of an attack attempt. |
| Result Code | 0x29 (Message stream modified and checksum didn't match). The authentication data was encrypted with the wrong key for the intended server, or was modified in transit by a hardware or software error, or by an attacker. Monitor for these events because this should not happen in a standard Active Directory environment. |
| Result Code | 0x3C (Generic error). This error can help you more quickly identify problems with Kerberos authentication. |
| Result Code | 0x3E (The client trust failed or is not implemented). This error helps you identify logon attempts with revoked certificates and the situations when the root Certification Authority that issued the smart card certificate (through a chain) is not trusted by a domain controller. |
| Result Code | 0x3F, 0x40, 0x41 errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication. |
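The following is an added example, not code from the Microsoft documentation, that turns the Client Address, Client Port and field-table recommendations above into detection logic run over constructed sample 4768 events in the event XML layout shown earlier on this page. It parses the EventData fields, unwraps IPv4-mapped client addresses (`::ffff:a.b.c.d`), flags local (`::1`) logons by accounts not allowed on a DC, external client addresses, well-known source ports, missing pre-authentication, DES or other non-AES ticket encryption types, unexpected certificate issuers and the listed result codes, and detects a burst of result code 0x6 from one source. `TRUSTED_NETS`, `DC_LOGON_ALLOWED`, `PKI_ISSUERS`, the burst threshold and window, and every sample event are assumed illustrative values, not anything defined by Windows.

```python
"""Detection checks for Security event 4768 (added example, not Microsoft's code)."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed site policy (illustrative values, not from the page).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
DC_LOGON_ALLOWED = {"dadmin"}          # accounts permitted to authenticate locally on a DC
PKI_ISSUERS = {"contoso-DC01-CA-1"}    # CAs allowed to issue smart card certificates
DES_ETYPES = {"0x1", "0x3"}
AES_ETYPES = {"0x11", "0x12"}
RESULT_CODES = {                       # subset of the result-code table above
    "0x6": "username does not exist (possible enumeration)",
    "0x12": "client credentials revoked",
    "0x1f": "integrity check on decrypted field failed",
    "0x22": "request is a replay",
    "0x29": "message stream modified / checksum mismatch",
    "0x3e": "client trust failed (revoked cert or untrusted CA chain)",
}


def parse_4768(xml_text: str) -> dict:
    """Flatten EventData <Data Name=...> elements and TimeCreated into one dict."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ts = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    ev["TimeCreated"] = datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")  # drop sub-second digits
    return ev


def client_ip(raw: str):
    """4768 logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); unwrap them."""
    ip = ipaddress.ip_address(raw)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def check_event(ev: dict) -> list[str]:
    """Apply the per-event recommendations; return a list of finding tags."""
    findings = []
    ip = client_ip(ev["IpAddress"])
    if ip.is_loopback:                       # ::1 = request made on the DC itself
        if ev.get("TargetUserName", "") not in DC_LOGON_ALLOWED:
            findings.append("local-dc-logon-not-allowed")
    elif not any(ip in net for net in TRUSTED_NETS + PRIVATE_NETS):
        findings.append("external-client-address")
    if 0 < int(ev.get("IpPort", "0")) < 1024:
        findings.append("well-known-client-port")
    status = ev.get("Status", "0x0").lower()
    if status != "0x0":                      # failure event: only the result code is meaningful
        findings.append(f"result-{status}: {RESULT_CODES.get(status, 'see result code table')}")
        return findings
    if ev.get("PreAuthType") == "0":
        findings.append("no-preauth")
    etype = ev.get("TicketEncryptionType", "").lower()
    if etype in DES_ETYPES:
        findings.append("des-encryption")
    elif etype not in AES_ETYPES:
        findings.append("non-aes-encryption")
    issuer = ev.get("CertIssuerName", "")
    if issuer and issuer not in PKI_ISSUERS:
        findings.append("untrusted-cert-issuer")
    return findings


def enumeration_bursts(events: list[dict], threshold: int = 3,
                       window: timedelta = timedelta(minutes=5)) -> dict:
    """Client addresses with >= threshold Status 0x6 events inside one sliding window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("Status", "").lower() == "0x6":
            by_src[ev["IpAddress"]].append(ev["TimeCreated"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:     # advance window start
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            hits[src] = best
    return hits


def _event(ts: str, **fields) -> str:
    """Build a minimal 4768 event in the page's XML layout (constructed sample, not a real log)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4768</EventID>'
            f'<TimeCreated SystemTime="{ts}"/><Computer>DC01.contoso.local</Computer>'
            f'</System><EventData>{data}</EventData></Event>')


BASE = dict(ServiceName="krbtgt", TicketOptions="0x40810010", Status="0x0",
            TicketEncryptionType="0x12", PreAuthType="15")
SAMPLE_EVENTS = [  # constructed sample data
    _event("2015-08-07T18:13:46.074535600Z", TargetUserName="dadmin", IpAddress="::ffff:10.0.0.12",
           IpPort="49273", CertIssuerName="contoso-DC01-CA-1", **BASE),
    _event("2015-08-07T18:14:01.000000000Z", TargetUserName="svc_backup", IpAddress="::1",
           IpPort="50012", **{**BASE, "TicketEncryptionType": "0x17", "PreAuthType": "2"}),
    _event("2015-08-07T18:14:30.000000000Z", TargetUserName="jdoe", IpAddress="::ffff:203.0.113.5",
           IpPort="443", **{**BASE, "PreAuthType": "0"}),
] + [
    _event(f"2015-08-07T18:15:{s:02d}.000000000Z", TargetUserName=u, IpAddress="::ffff:10.0.0.99",
           IpPort=str(51000 + s), **{**BASE, "Status": "0x6"})
    for s, u in ((5, "admin"), (6, "administrator"), (7, "backup"))
]


def run(xml_events: list[str]) -> dict:
    """Parse every event, run per-event checks, then the cross-event burst check."""
    events = [parse_4768(x) for x in xml_events]
    return {"per_event": {ev["TargetUserName"]: check_event(ev) for ev in events},
            "bursts": enumeration_bursts(events)}


if __name__ == "__main__":
    for user, tags in run(SAMPLE_EVENTS)["per_event"].items():
        print(f"{user:15s} {tags}")
    print("bursts:", run(SAMPLE_EVENTS)["bursts"])
```

In production the events would come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768}` or a SIEM export rather than inline strings, and the failure-event branch deliberately skips the pre-authentication and encryption-type checks, since those fields carry placeholder values when the KDC rejects the request.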
Source: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768